What is 'certificate revocation' and when is it used?
Certificate revocation invalidates a certificate before it expires. Common reasons: the private key was stolen, the certificate was mis-issued, or the server is decommissioned. Revocation is communicated via CRL or OCSP.
What is the difference between a CRL and OCSP in certificate revocation?
CRL is a downloadable list of revoked certificates published periodically by the CA; it can be large and stale. OCSP is a real-time protocol where the client queries the CA for the revocation status of a specific certificate, which is more efficient and timely.
An alert says 'the certificate expires in 30 days'. What should happen next?
30-day expiry warnings are standard automated alerts. The team should begin the renewal process well before expiry — especially for manually managed certificates that require validation, approval, and deployment steps.
What is 'certificate rotation' in a production system?
Certificate rotation means replacing the current certificate (and often the private key) with a new one. In automated systems (e.g. with cert-manager on Kubernetes), rotation happens transparently. Manual rotation requires coordinated deployment of the new cert.
A browser shows 'NET::ERR_CERT_DATE_INVALID'. What does this error mean?
NET::ERR_CERT_DATE_INVALID (or 'certificate has expired') means the server's TLS certificate is past its notAfter date. Browsers refuse to complete the TLS handshake with an expired certificate, making the site inaccessible until a valid certificate is deployed.